Threats to Data… and why this matters

Richard Henson

Worcester Business School

r.henson@worc.ac.uk

January 2015

By the end of this session you should be able to:

Explain the meanings of some regularly used security terms

Relate the process of logging on to file, folder, hardware, service access

Explain how management of access for many users on a network can be simplified

Explain why even small organisations are being targeted by hackers

Computers and Organisations

Handling data and services is completely different ball game to the PC at home or possibly on a small home peer-peer network

After people, information is the most important thing an organisation has… nowadays most of that information is held

on computer it therefore needs to be protected!!!

Some Information Security Acronyms

CIA Confidentiality, Integrity, Availability

PAIN Privacy, Authentication/Availability, Integrity,

Non-repudiation AAA

Authentication, Authorisation, Accounting

Why do an organisation’s computers need security?

Privacy: some data must (by law) be kept private personal data financial transaction data commercially sensitive data

That data MUST be stored in a safe place!!! preferably underground in a bomb-proof

container… cost???

usual compromise is a securely locked room access only via computer network

Alternative… The Cloud

Use a third party to look after the data for you, via the Internet

No longer need a secure facility… Someone else doing that for you

Problem(s)?

Why bother with security?

Integrity: data must not be modified improperly fraud: adding large numbers to your bank balance employee error: accidentally typing in the wrong

number of noughts… Means that important data needs to be backed

up preferably off-site (another Cloud?) also good practice in case something happened to

that securely locked room

Why do an organisation’s computers need security?

Accessibility: data must be there otherwise they can’t do their job, or do

their studying… BUT just for those who need it

prevention of deletion and/or corruption of something private, confidential, or just plain important…

Threats to Computers

Hackers Try to gain access to computers, either ‘for fun’ or for

illicit financial gain Cyberterrorists

Try to gain access to computers for political or commercial reasons

Disgruntled Employees Revenge on the company

Accidents & employee error power failure, lack of concentration, etc.

Computer Security Basics

Rule Number 1: Don’t let anyone near your computer(s) includes tablets & smartphones…

This was easy when the only computers were the size of a large room… the desktop computer revolution was based

on convenience NOT security

Security: The Basics

Rule Number 2: Don’t let anyone have access to any more of your information than they need…

can be difficult to protect a local computer much easier to protect on a network server

(or in the cloud)

Managing Rule #1

Keep computers in locked rooms or boxes If people can’t get physical contact, it is much

more difficult to get at the information Keep network hardware locked away as well

access to a network means access to all the computers on that network

this means that security is more difficult on a wireless network

Managing Rule #2

Passwords for logins enforce regular changes

Restrict access to folders and files as appropriate

Encrypt messages, especially those sent over wireless connections

Importance of Logging On

Generally associated with client-server systems

Principles should be used on individual computers

E.g. Microsoft Windows… peer-peer networks use single system logon

management of file security is local client-server networks called domains

management of local file security can be either local or remote

Managing Logging On

Microsoft tries to take a flexible approach log on locally or (if available) log on to domain

Either way, user access needs to be managed so: Everyone can access what they need to access People can’t see what they shouldn’t see…

What about Apple? What about Linux?

“Groups” of Users

For ease of user management, access to resources, files, services controlled through groups that the user belongs to: “Administrators” group gives maximum access “Users” group gives limited access Other default groups between these extremes

New groups can be defined by local machine/domain administrators

Creating a Local Windows User

New users set up using a wizard only available to users with local sufficient

privileges

Account created on local machine data associated with that account held on

local machine…

Domain Users

Account created on a domain controller account details kept in domain database

should be replicated between all domain controllers

User Manager displays user accounts: Local computer - list of existing local

accounts Domain controller – list of existing domain

accounts

User groups available by default:

Tries to anticipate general network needs e.g. on a Domain…

Administrators, Printer Operators Server Operator, Backup Operator Users, etc…

Rule: don’t give a user any more rights than they actually need

Domain Controllers – Serving the Domain Servers that authenticate users…

Each Domain Controller should have a copy of the domain user management (SAM) database: each must be able to log on and log off any user SAM databases on domain controllers need to be

regularly synchronised User profiles normally kept on one domain

controller, and backed up to another for fault tolerance

User profiles

Stores user information when they log off Local machine:

Local profile data stored securely on local machine, and retrieved next time user logs on

Domain Controller: Domain profile data stored securely on domain

controller, and retrieved next time user logs on

Types of Domain Profile Two types:

roaming profiles mandatory profiles

When user successfully logged on: copy of profile sent from domain controller to local

workstation profile stored locally on C drive in a secure folder

When user logs off: copy of locally stored profile sent back to server existing server profile overwritten Locally stored profile deleted

Mandatory v Roaming Domain Profiles

Mandatory Profiles: keeps a common desktop for all user settings lost when user logs out

Roaming Profiles: user settings not lost when user logs out Next time user logs on (perhaps at a different

machine) user gets the same desktop as when they logged out

System Profiles

Similar principle to network user profiles, but settings apply to individual systems as opposed to individual users

As with network profiles, user desktop controlled by overwriting registry settings on the local system… (!?)

Windows File Systems (1)

FAT32 More efficient than NTFS for small partitions No file level security!!! (say no more…) Can only impose security remotely through

shares Mainly kept for backward compatibility

Windows 2000 File Systems (2) NTFS

File names up to 255 characters, not case sensitive

File and directory level security More efficient storage than FAT for partitions

>400Mb Good file compression Good recoverability, through transaction logging Automatic cluster remapping if a bad cluster is

identified Support for Apple-Mac files

Users, Groups, Security, and NTFS partitions

Any file or folder on an NTFS partition will have file permissions imposed

Typical permissions: No Access Read only Read and Execute Write Modify Ownership/Full Control

Much wider range of permissions available

Allocation of File Permissions By default, folders have “everyone”

access generally not a good idea! access according to group gives greater

control Group membership easily removed,

replaced by other groups e.g.: Administrators Backup Operators

Allocation of File Permissions

Folder permissions for a user will depend on their group membership … individual users can ALSO have their own unique

permissions GENERALLY not recommended

Files assume permissions & user rights of their folder users get file access depending on groups they have

been allocated to as with folders, individual users can be given unique file

access settings

Local, Domain Groups and File Permissions

For local login local users

allocated to local groups allocated to domain groups

For domain login: Domain users

allocated to local groups allocated to domain groups

Combining Permissions Individual users may be allocated to a

number of groups For any folder, the permissions given to

those groups may be different Their permissions to a folder when

logged on are always based on an “addition” of all group permissions for that user. Great CARE required!

Combining Permissions

Example of the principle of “addition”: Fred is a member of the groups PRINT

OPERATORS and USERS Users has READ access to folder

ACCOUNTS Print Operators has CHANGE access to

same folder Fred therefore has…………… CHANGE

access to ACCOUNTS

Inheritance and Permissions

By default, any created subfolder will have the same permissions as the parent folder

However, the user that created the subfolder will have OWNERSHIP This prevents other users deleting files or

otherwise interfering without the owner’s granted permission

Both OWNERSHIP and INHERITANCE can be overridden by users with sufficient (administrative) privileges

Move on 15 years…

Everyone using the Internet & World wide web goes even further through web 2.0 (Social

Media) Businesses share data/apps with partners

for “business reasons” Vast amounts of data can be stored on

portable devices…

The Hyperconnected World

High Level Threat: The Reality

UKcritical

infrastructurehackerXX

Internet…(900 million Gateways!)

Known for some years…

In April 2009, hackers accessed data concerning technical details of a US govt fighter jet via networks with supply chain partners http://www.nextgov.com/nextgov/ng_20090421_4305.

php

Conclusion (US gov): “…there needs to be a new-order requirement on companies doing business with the federal government.”

If this could happen in the US… UK’s critical infrastructure is potentially

under threat… from its business partners!

SMEs often don’t even know they’ve been hacked… why not? what should they do? what do they do? which laws will have been broken?

But why would hackers go after individuals?

Nosy?

Data may be worth something?

Provide gateways to other users/systems?

Introduce keyloggers, webbots, etc to seize control of many computers for DDoS attack http://www.deloitte.co.uk/ers/cyber/companies.htm

Jobs in Networks and Security

Huge misconceptions about IT jobs

This is your most important URL for all IT jobs… http://itjobswatch.co.uk